Site to Site Tunnel not passing Windows traffic

Answered Question

Have an issue with a static to dynamic Site to Site VPN between 2 ASA5505. Tunnel is up, and I can ping in both directions, no problem; I can also web browse and RDP from the remote site. However, I cannot browse the network nor get any DC authentication to pass.

My VPN clients do all of this no problem. I'm posting the config from the remote site.

The config may have gotten a little dirtied up in attempts; please let me know if you see anything. I'm leaning towards the ACLs.


sho run
: Saved
:
ASA Version 8.2(5)22
!
hostname ASA-2
domain-name internal.monaco.com
enable password xxxxx encrypted
passwd xxxx encrypted
names
!
interface Ethernet0/0
description External Connection
switchport access vlan 2
!
interface Ethernet0/1
description Internal LAN
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif Inside
security-level 100
ip address 10.16.2.1 255.255.255.0
!
interface Vlan2
nameif Outside
security-level 0
ip address dhcp setroute
!
group-object BasicPortsUDP
object-group network Main
network-object 172.16.0.0 255.255.0.0
object-group network Internal
group-object Local
access-list Inside_in remark --- BEGIN: Out bound ACL (Updated: 20AUG2013) ---
access-list Inside_in remark --> Allow common Internet use
access-list Inside_in extended permit tcp any any object-group OutgoingTCP
access-list Inside_in extended permit udp any any object-group OutgoingUDP
access-list Inside_in extended permit icmp any any
access-list Inside_in remark --> Explicit DENY ANY
access-list Inside_in extended deny ip any any
access-list Inside_in remark --- END -------------------------------------------
access-list Inside_in remark --> Allow VPN Traffic to Main
access-list Inside_in extended permit ip object-group Internal object-group Main
access-list Inside_in extended permit ip object-group Main object-group Internal

moved to here
access-list Outside_in remark --- BEGIN: In bound ACL (Updated: 12-15-2006) ---
access-list Outside_in extended permit ip object-group Main object-group Internal
access-list Outside_in remark -> Permit ICMP Traffic
access-list Outside_in extended permit icmp any any echo-reply
access-list Outside_in extended permit icmp any any unreachable
access-list Outside_in extended permit icmp any any traceroute
access-list Outside_in remark -> Explicit DENY ANY
access-list Outside_in extended deny ip any any
access-list Outside_in remark --- END -------------------------------------------
access-list no_nat extended permit ip object-group Local object-group Main
access-list VPN_to_Main extended permit ip object-group Local object-group Main
access-list nat extended permit ip any any
pager lines 24

Correct Answer by Santhosha Shetty (Cisco Employee), Sun, 08/25/2013 - 03:07

Hi Brad,

Since the issue is seen for specific traffic/application, could you please collect the packet-tracer (in outbound direction) output on both ASAs to verify if the flow is correct for non-working traffic.

Collect the following:

packet-tracer input   detailed

Thanks,

Santhosh
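To see what a first-match reading of the posted Inside_in ACL does with a Windows flow that the question says fails, here is an added Python example (not from this thread and not Cisco code). The object-group Main (172.16.0.0/16) is taken from the posted config; the contents of Local, OutgoingTCP and OutgoingUDP are not shown on the page, so the values below (Local = 10.16.2.0/24, OutgoingTCP = 80/443/3389) are assumptions, as is the sample SMB flow.

```python
import ipaddress
import re

# Object groups as posted in the question. "Local" is not shown on the page,
# so it is assumed to be the Inside subnet 10.16.2.0/24; the port groups are
# not shown either, so OutgoingTCP/OutgoingUDP contents are assumptions too.
NETWORKS = {
    "Main": [ipaddress.ip_network("172.16.0.0/16")],
    "Local": [ipaddress.ip_network("10.16.2.0/24")],
    "Internal": [ipaddress.ip_network("10.16.2.0/24")],  # group-object Local
}
PORTS = {"OutgoingTCP": {80, 443, 3389}, "OutgoingUDP": {53, 123}}

# The Inside_in ACEs exactly as posted, remarks dropped, order preserved.
INSIDE_IN = """\
access-list Inside_in extended permit tcp any any object-group OutgoingTCP
access-list Inside_in extended permit udp any any object-group OutgoingUDP
access-list Inside_in extended permit icmp any any
access-list Inside_in extended deny ip any any
access-list Inside_in extended permit ip object-group Internal object-group Main
access-list Inside_in extended permit ip object-group Main object-group Internal
"""
ACE = re.compile(r"access-list \S+ extended (permit|deny) (\S+) (.+)")

def _net_match(token, ip):
    return token == "any" or any(ip in n for n in NETWORKS[token])

def evaluate(acl_text, proto, src, dst, dport):
    """First-match evaluation of an ASA interface ACL: returns (action, index)."""
    ip_s, ip_d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, line in enumerate(acl_text.splitlines()):
        m = ACE.match(line)
        if not m:
            continue
        action, ace_proto, rest = m.groups()
        toks = rest.replace("object-group ", "").split()  # [src, dst, (ports)]
        if (ace_proto in ("ip", proto)
                and _net_match(toks[0], ip_s) and _net_match(toks[1], ip_d)
                and (len(toks) < 3 or dport in PORTS[toks[2]])):
            return action, idx
    return "deny", None  # implicit deny at the end of every ASA ACL

def move_vpn_permits_first(acl_text, group="Main"):
    """Reorder so the ACEs referencing the VPN peer's group precede the deny."""
    lines = acl_text.splitlines()
    vpn = [l for l in lines if f"object-group {group}" in l]
    return "\n".join(vpn + [l for l in lines if l not in vpn]) + "\n"
```

With the ACL as posted, a constructed SMB flow `evaluate(INSIDE_IN, "tcp", "10.16.2.10", "172.16.0.10", 445)` returns `('deny', 3)` because the explicit deny sits above the permit to Main, while 3389 returns `('permit', 0)` via OutgoingTCP, and after `move_vpn_permits_first` the 445 flow returns `('permit', 0)`. On the ASA itself the equivalent check is `packet-tracer input Inside tcp 10.16.2.10 1025 172.16.0.10 445 detailed`.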
